Securing Your WordPress: 5 Essentials to Fortify Your Site Against Hackers

Some people feel lazy when hear talking about security and don't follow very basic instructions. Of course, as long their website won't be hacked. Others become crazy and lock everything that is possible, making the user experience worse. Let's fit the gold middle and secure WordPress from the most often threats, but without becoming paranoid. Following these tips will save you from using heavy and expensive security plugins.

Here I must say a couple of words about very basic things that are related to security. The next information is only for beginners, feel free to skip it if you feel self-confidence in basic security questions.

So, you must know that most hacks happen not due to vulnerability in code, but due to rough mistakes in using the software. Read what must a good WordPress developer know to understand what should be learnt by you to use WordPress properly.

Any password must contain 16+ random characters, including special characters. Hackers have lists of commonly used phrases and use them in brute-force attacks. They can easily get access to your admin panel, in case your password isn't a random string. Never, ever use names or words in your password.

Even with developers. If you need to get some work done by them, create for them a separate account. And always change the password for that account after they've done tasks.

Writing on paper is a bad idea. Storing in online services also may be a bad idea. The best case is using an offline app. There are plenty of programs that allow storing passwords securely. For example, our agency for keeping all credentials, including clients, uses KeePassXC.

Do it via secure channels or change the password in a short time after sharing. Even if you need to share a password with your client, ask them for changing the password after receiving it. Slack or messenger channels aren't fit for this goal.

A secure channel doesn't mean offline. It can be various services, that provide a one-time link, or even a mail vendor, like Proton, that provides password-protected emails.

It's the most common mistake of beginners. They see how many options there are to customize a website and begin to install all plugins and try all themes that can be found. Usually, prefer free or nulled (hacked). Most of these plugins WILL contain viruses or vulnerabilities, it's a price of accessibility.

If we talk about free plugins, you can secure your WordPress by downloading plugins ONLY from the official WordPress repository. Or from the built-in Plugins item in your WordPress admin menu, which is the same. Also, check the number of active installations, which must be bigger than 100. And pay attention to the last updated date, that must be less than a year ago.

If we talk about paid Pro plugins, make sure that you're purchasing on an official website, and that there are independent reviews that confirm the quality of the plugin. For sure, not from words on their website, but from other resources.

Verifying things before installation is a very important skill. A bad theme or plugin not only makes your website insecure but also slows it down.

The brute force of login credentials is the most often practice of hackers. They send hundreds of requests to your website via the login page. Even if you have a strong password it still creates extra loading to your website. Plus, if you're a developer, you can't guarantee that the owner or his editors won't use weak passwords. This step will be an extra layer that will protect admin accounts.

To secure WordPress from brute force, we use the WPS Hide Login plugin to change the login url. It can be done easily, and furthermore, it won't change the admin url for authorized users. So it only locks wp-admin and wp-login.php from unauthorized users, editors and admins must visit a new url to login, and then can use ordinary wp-admin to access the admin panel.

You can use the hCaptcha or Simple Google Captcha plugin to add a captcha to the login page. Both work well with the plugin above and add a captcha via code hooks. Which means they will work with any custom login URL. We recommend using the hCaptcha plugin, as the service respects user privacy, unlike Google Captcha.

Both plugins add the captcha code but do not sign up a service account for you. You must sign up and get credentials from hCaptcha.com or Google ReCaptcha, depending on the chosen plugin.

REST API allows getting a list of usernames without trouble. Hackers still will need to get a password, but hey, let's make their life even worse. Plus, even the names (usernames) of editors of your website can be a part of private information, what is the goal to share it with the whole world? REST API is used in WordPress for example by Gutenberg editor (and different plugins), so completely disabling will break the work of a WordPress website.

The golden middle is disabling REST API for unauthorized users. It won't create any issues for authorized editors and admins but will secure WordPress against leaking usernames to third-party faces.

We use the Disable REST API plugin for this goal, and by default, it's configured to disable only unauthorized users, so you can just enable the plugin and don't make any extra steps.

Directory browsing is an insecure feature, that allows seeing a list of files in a request folder via browser, in case the 'index.php' file is missing. To find vulnerabilities in your plugins and themes hackers must know their file structure.

WordPress has the index.php stub for all the basic folders, like /wp-content/, /wp-content/plugins/, and /wp-content/themes/, but can't guarantee that every plugin or theme developer does the same. For this goal, you need to make sure that your web server doesn't allow directory browsing.

Try to visit YOUR_DOMAIN/wp-includes/ in your browser. If you see the 'Not Found' message, it means your server already doesn't allow it, you can skip this item. In case you see a list of files, you must do extra actions to disable directory browsing.

To do this, we need to modify the .htaccess file. I don't recommend editing this file via FTP, like many others. Due to the fact that this file is regularly recreated by many plugins. E.g. all cache plugins or similar. This means your change most likely will be lost after some time. We can add our modification on a permanent basis with the following code snippet, which you can add to your functions.php:

add_filter('mod_rewrite_rules', function ($rules) {
    return $rules . "\n" .
        "#Disable directory browsing\n" .
        "Options -Indexes\n";
});

Then visit the Settings-Permalinks page in your admin panel, it'll force WordPress to recreate the .htaccess file immediately. After, you can visit YOUR_DOMAIN/wp-includes/ again to make sure that now it displays the 404 message (which is good).

Skip this step in case you use plain hosting or you uploaded the website manually, without GIT.

Many developers use GIT, which is a wonderful tool. Using GIT on production is also a good idea, but you must disable access to the .git folder via a browser in this case. Otherwise using the .git/HEAD file they'll be able to recreate all a tree of commits and get the source code of your website.

For this goal, you need to lock all /.git/* requests. You can contact your system administrator or hosting provider. In case you've enough skills and your server uses NGINX then you can reach it by adding the following code (add to the NGINX config file of your website)

# deny access to all special files and folders, like .git, .htaccess
location ~ /\. {
  deny all;
}

Don't forget to restart NGINX after it.

XML-RPC is an old feature of WordPress. Most of websites don't use it, and it exists just for compatibility with old software. This feature allows interaction with your website directly, without opening in a browser. The bad thing is that hackers can brute force passwords using this feature because even if you've changed the login url and added a captcha from the steps above, this feature still gives an option for them to check passwords.

To deny access to the file you can contact your system administrator or hosting provider. If you've enough skills, below we provide snippets that will do it:

If your server uses NGINX then you can reach it by adding the following code (add to the NGINX config file of your website):

# wordpress xmlrpc
location /xmlrpc.php {
  deny all;
}

Don't forget to restart NGINX after it.

If your server has the DirectAdmin control panel, you can connect to your server by SSH and achieve the goal by executing the following commands;

// 1. create the custom folder in the directadmin config
cd /usr/local/directadmin/data/templates
mkdir custom/; cd custom

// 2. create the necessary files in the folder and setup rights
touch nginx_server.conf.CUSTOM.4.post nginx_server_secure.conf.CUSTOM.4.post 
touch nginx_server_secure_sub.conf.CUSTOM.4.post nginx_server_sub.conf.CUSTOM.4.post
chmod 644 nginx_server.conf.CUSTOM.4.post nginx_server_secure.conf.CUSTOM.4.post
chmod 644 nginx_server_secure_sub.conf.CUSTOM.4.post nginx_server_sub.conf.CUSTOM.4.post

// 3. enter the edit mode for the new (created) config
nano nginx_server.conf.CUSTOM.4.post

// and and the content below to the file
// this is the rule that will lock the xmlrcp file
location =/xmlrpc.php 
{
    deny all;
}

// 4. copy the main config to the others
cp -p nginx_server.conf.CUSTOM.4.post nginx_server_secure.conf.CUSTOM.4.post
cp -p nginx_server_secure.conf.CUSTOM.4.post nginx_server_secure_sub.conf.CUSTOM.4.post
cp -p nginx_server_secure_sub.conf.CUSTOM.4.post nginx_server_sub.conf.CUSTOM.4.post

// 5. make the build
cd /usr/local/directadmin/custombuild/
./build rewrite_confs

We've reviewed the 5 most important steps to secure WordPress from hacking. In fact, steps 3-5 can be done by a system administrator (or hosting provider) only once and will work for all websites on your account. Since you've done them, you can be sure that you have a very good level of protection, and you can don't purchase security plugins, which are often heavy and slow down a website.